GDPR at a glance


The EU General Data Protection Regulation (GDPR), entering into force on May 25th, 2018, replaces a 1995 EU Directive on data protection. Based on its expertise in privacy and data protection, Cabinet SAMMAN has been appointed by several business organizations to take part in the dialogue on the GDPR implementation process with supervisory authorities and other public officials. Please find below a recap of the main elements of the GDPR.

Implementation

As a Regulation, the GDPR is directly applicable in all European Union (EU) Member States, although it leaves them a little room for maneuver. Several governments have undertaken work on national provisions to this end, including France (ongoing) and Germany (adopted). The exact regulatory framework should be confirmed once national laws are implemented, most likely without affecting the general provisions.

Enforcement

Policy makers and regulators have reiterated on several occasions that their philosophy and approach to the GDPR is to support and help stakeholders improve their privacy practices and comply with GDPR rules. Hence, the deadline of May 25th, 2018, should not sound the starter gun for sanctions.

Lead supervisory authority

The GDPR establishes the lead supervisory authority, responsible for supervising cross-border processing within the EU. The Data Protection Authority (DPA) of an organization's main establishment should fill this role, but the GDPR leaves leeway for interpretation.

Accountability tools

The GDPR places great emphasis on the principle of accountability, which offers stakeholders the possibility of applying a variety of voluntary compliance tools, e.g. codes of conduct, certifications, data protection seals and marks.

While the accountability principle represents a new approach in terms of implementation, in substance, the GDPR represents an evolution rather than a revolution in EU data protection standards.

Some key provisions established in the previous Directive are further strengthened, e.g. the sharing of responsibility between organizations involved in personal data processing (controller and processor), and the guarantees provided to data subjects (data portability, right to be forgotten, consent, etc.).

Risk-based approach

The accountability principle goes hand in hand with the risk-based approach encouraged by the GDPR. Organizations will have to assess the possible risks of their processing activities, identify which are low-risk and which are “high-risk”, and then apply appropriate protection measures.

Data security

Data security obligations are maintained as compared to the 1995 Directive, but the GDPR recommends a list of security tools such as pseudonymization, encryption…

Breach notifications

The GDPR sets out the conditions for breach notification, with shared but distinct responsibilities for controllers and processors that depend on the level of risk.

Both controllers and processors must, as a general rule, notify breaches. Exceptions are awaiting clarification from regulators.

Impact on UK-based companies

‘Brexit’ may not have an impact on UK-based companies, provided the UK government adapts its personal data protection rules to the GDPR, as so far planned, and provided the EU and the UK reach an agreement on a post-Brexit cooperation framework. The UK’s proposal might be modelled on the current cooperation model between the EU and Norway, Liechtenstein and Iceland.

The GDPR maintains several legal provisions that allow the transfer of EU data subjects’ personal data to recipients in third countries, i.e. outside the European Union.

Administrative fines

The GDPR strengthens regulators’ powers, notably by enabling them to apply particularly hefty administrative fines of up to €20,000,000 or, in the case of an undertaking, of up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Public and Private sector initiatives

The Article 29 Working Party (WP29), the informal body of supervisory authorities in the EU, has adopted guidelines on specific GDPR provisions and is expected to issue further ones in the coming period.